Organizations today aren’t single entities—they are interconnected networks of third parties. And while third party relations are critical for success in most businesses, they also leave data more vulnerable to exposure from bad actors. Because of this, vendor risk management (VRM) is becoming an even more important business practice.
Below, we’ve outlined four critical principles all security managers should keep in mind when it comes to vendor risk management.
The 4 Most Important Vendor Risk Management Principles For Security Managers
1. Know which vendors have your critical data.
Fact: You cannot treat all of your vendors equally. Your organization doesn’t have unlimited resources or the ability to scale infinitely, so you need a solid method for vendor evaluations to follow. The cornerstone of managing third parties is placing as much effort as possible into the vendors that are managing, processing, or storing your most critical data.
First, consider your data criticality: Which vendors are handling the most valuable data in your organization? Second, consider your critical services: Which vendors host a critical service for you that isn’t protected or regulated well? Once you evaluate these questions, you should be able to determine where you want to spend the majority of your time and which vendors to prioritize in terms of vendor risk management.
2. Verify that the security posture of the vendor is equal to or better than your own.
Most organizations begin their vendor evaluation processes by reviewing compliance reports from governing bodies like ISO, NIST, or SOC2. These reports are simple communication vehicles that give you a glimpse at the vendor’s current cybersecurity posture.
The problem is, these reports are often subjective, unverifiable, and unactionable—a triple threat against proper vendor risk management principles. What’s more, the reports are subject to human fallibility, misunderstanding, misinterpretation, and error, and they can eat away at time from both parties involved.
Therefore, many modern organizations are turning to publicly observable metrics, which identify and verify the technical controls a vendor has in place. These metrics are typically mapped to public IP addresses. Signs like poor configurations or a vendor’s public IP address base talking to known malicious sites are indicators that the vendor’s security posture may not be up to par. This is similar to home security: A home with no locks and broken windows is easier to break into than one that is meticulously maintained and updated with the right security tools.
Solutions like Bitsight Security Ratings allow first-party organizations to quickly and easily review their vendors without having to request anything from the third party. These solutions take a time-consuming data collection process and make it as easy as logging into a portal and reviewing a security rating.
3. Ensure that you review third party holistically.
When contracting with a new vendor, you want to be sure that you have the business’s best interests in mind—and this means collaborating across departments and internal groups.
You have to keep in mind that information security and data privacy aren’t the only things that a vendor is analyzed on—legal, finance, and human resources are also important areas of supplier onboarding. For example, if a vendor performs poorly in information security but well in all other categories, you may still choose to work with them. Why? Perhaps they don’t house any critical data or perform any critical services, and a partnership would be mutually beneficial. Conversely, a vendor may perform very highly in information security, but legal or finance is unwilling to accept a particular contractual term. In this instance, it’s important for all parties to look at the business as a whole—not just at their individual disciplines—for the betterment of the company.
4. Trust but verify.
This age-old adage still rings true. Vendor risk management is an evaluation of a continual relationship, not an evaluation of a specific point in time. But without the proper tools, there’s no way to know how the posture of a vendor changes after you’ve signed a contract. With continuous risk monitoring solutions like Bitsight Security Ratings, you’re able to consistently and regularly see how the vendor’s security posture is changing and help mitigate the risk to your own data and network.
In Summary
Vendor risk management must be a priority for all security managers. If you don’t do your due diligence on a vendor before signing on the dotted line, you may be setting yourself up for an information security disaster.
Because this process can be both lengthy and intimidating, we’ve created a guide for security managers that covers the following:
- Basic questions you need to ask all vendors.
- Actionable risk vectors and configurations to keep in mind.
- The impact of continuous risk monitoring software.